How can I resolve the FSLogix "Media is write protected" issue?

In some cases, the FSLogix user profile fails to attach because of the "Deny write access to fixed drives not protected by BitLocker" policy. This policy, enforced through Microsoft Intune, Microsoft Defender, or Group Policy Objects (GPOs), requires encryption on disks and causes the "The media is write protected" error.

This issue can be resolved in different ways depending on the policy enforcement method:

Warning: The steps below are recommendations for resolving the FSLogix "The media is write protected" error. Before you implement any policy changes, please consult with your Security team to ensure the changes align with your organization's policies. You may want to create a custom policy specifically for your AVD hosts, separate from the rest of your environment.

Microsoft Intune

Note: If your Nerdio Manager install is configured to use Intune management, you can replace the endpoint security policy with a known working policy and skip the steps below.

To edit the Intune BitLocker policy:

  1. Sign in to Microsoft Intune admin center with your customer’s credentials.

  2. Navigate to Endpoint security > Disk encryption > [BitLocker policy name].

  3. On the Configuration settings tab, in the Fixed Data Drives section, change the Deny write access to fixed drives not protected by BitLocker value from Enabled to Not configured or Disabled (default).

  4. Save and synchronize your Intune policies.

  5. Once the policy has synchronized, sign in to your session host again.

Group Policy Objects (GPOs)

Edit your customer's GPO BitLocker policy from the Domain Controller.

To edit the GPO with the BitLocker settings:

  1. Sign in to your customer’s Domain Controller.

  2. Open the Group Policy Management console.

  3. Locate and edit the GPO with the BitLocker settings.

  4. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives.

  5. Double-click the Deny write access to fixed drives not protected by BitLocker setting.

  6. Change the setting from Enabled to either Not Configured or Disabled.

  7. Run the GPUpdate command on the session host.

  8. Once the policy has synchronized, sign in to your session host again.

Windows Registry

Edit your customer's FVE policy from the Windows Registry Editor.

To edit the FVE policy:

  1. Open the Windows Registry Editor and go to the following Registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

    Note: If you don't have the key, create it manually.

  2. Create a new DWORD (32-bit) value named FDVDenyWriteAccess.

  3. Set the value to zero to disable the policy.

  4. Restart the AVD host.

  5. Once the session host is restarted, sign in to the host again.
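
The registry steps above can be scripted so that the previous value is recorded before it is changed. The following is an added example, not part of the original article or any Nerdio or Microsoft tooling; the audit log path is an assumption, while the key and value name are the ones given in the steps.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Key and value name are the ones given in the steps above.
    [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE',
    [string]$ValueName = 'FDVDenyWriteAccess',
    # Assumed location for the change record; adjust to your environment.
    [string]$AuditLog  = "$env:ProgramData\FveChangeAudit.csv"
)

# Read the current state first so the change can be reviewed and reverted.
$before = $null
if (Test-Path -Path $KeyPath) {
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $before = $prop.$ValueName }
}
$beforeText = if ($null -eq $before) { 'absent' } else { [string]$before }
Write-Output "$ValueName before change: $beforeText"

if ($before -eq 0) {
    Write-Output 'Policy is already disabled locally; nothing to change.'
    return
}

if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 0')) {
    # Step 1 note: create the key if it does not exist.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 2-3: DWORD (32-bit) value set to zero; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null

    # Verify the write and record host, user, and the prior value.
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    [pscustomobject]@{
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
        Computer = $env:COMPUTERNAME
        User     = "$env:USERDOMAIN\$env:USERNAME"
        Before   = $beforeText
        After    = $after
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

    Write-Output "$ValueName is now $after. Restart the AVD host (step 4)."
}
```

Run it with `-WhatIf` first to see the current value without changing anything. If the setting is still enforced through Intune or a GPO, a later policy refresh can write the value back, so change it at the source as well.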
